CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.021 Low
Percentile: 89.0%

CVE-2016-1521
An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service. An attacker can provide a malicious font to trigger this vulnerability.
Libgraphite 2-1.2.4
<http://sourceforge.net/projects/silgraphite/files/graphite2/>
When reading an invalid font where the loca table size is set to 0, an out-of-bounds read will occur.
At line 187 in GlyphCache.cpp, the function Loader is defined, which loads a number of tables from the font, including the loca table. At line 206 it then calls the function TtfUtil::LocaLookup with arguments that provide the number of glyphs, the loca table and its size:
if (TtfUtil::LocaLookup(_num_glyphs_graphics-1, _loca, _loca.size(), _head) == size_t(-1))
At line 1164 in this function (in file TtfUtil.cpp), the loca table will be accessed using the number of glyphs:
return be::peek(pLongTable + nGlyphId);
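A size check is performed at line 1161, but since the size is set to 0, this will always pass, because lLocaSize is an unsigned size_t and (lLocaSize >> 2) - 1 wraps around to the largest representable value: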
if (nGlyphId < (lLocaSize >> 2) - 1)
This will read out of the bounds of the table by an arbitrary 16-byte number, which will cause a denial of service and could potentially lead to an information leak.
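The size check described above, modelled next to a hardened variant. This is an added example, not code from libgraphite or from the advisory; the function names, the hardened check and the sample table are assumptions made for illustration, and the hardened form is not claimed to be the upstream patch.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Bounds check as quoted in the advisory (long loca format, 4-byte entries).
// lLocaSize is unsigned, so for lLocaSize < 4 the entry count is 0 and
// 0 - 1 wraps to SIZE_MAX: every 16-bit glyph id is accepted.
bool check_as_quoted(uint16_t nGlyphId, size_t lLocaSize)
{
    return static_cast<size_t>(nGlyphId) < (lLocaSize >> 2) - 1;
}

// Hardened form (assumption, not the upstream patch): no subtraction on the
// unsigned entry count, so an empty or truncated table rejects every id.
bool check_hardened(uint16_t nGlyphId, size_t lLocaSize)
{
    return static_cast<size_t>(nGlyphId) + 1 < (lLocaSize >> 2);
}

// Bounds-checked big-endian lookup. Returns size_t(-1) on rejection, the
// error value the caller in GlyphCache.cpp compares against.
size_t loca_lookup_checked(uint16_t nGlyphId, const uint8_t *pLoca, size_t lLocaSize)
{
    if (pLoca == nullptr || !check_hardened(nGlyphId, lLocaSize))
        return static_cast<size_t>(-1);
    const uint8_t *p = pLoca + static_cast<size_t>(nGlyphId) * 4;
    return (static_cast<size_t>(p[0]) << 24) | (static_cast<size_t>(p[1]) << 16)
         | (static_cast<size_t>(p[2]) << 8)  |  static_cast<size_t>(p[3]);
}

int main()
{
    // Constructed sample table: three 4-byte offsets (0, 0x20, 0x48).
    const uint8_t loca[12] = {0,0,0,0, 0,0,0,0x20, 0,0,0,0x48};
    std::printf("size 0, glyph 500: quoted=%d hardened=%d\n",
                check_as_quoted(500, 0), check_hardened(500, 0));
    std::printf("glyph 1 offset: %zu\n",
                loca_lookup_checked(1, loca, sizeof loca));
    std::printf("glyph 2 rejected: %d\n",
                loca_lookup_checked(2, loca, sizeof loca) == static_cast<size_t>(-1));
    return 0;
}
```

For tables of at least one entry both checks accept the same glyph ids; they differ only when the reported size is below 4 bytes.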
The malicious font provided here can be used to reproduce the problem by using the "simple" test program provided with libgraphite and the parameter "test": ./simple maliciousfont test
Yves Younan